def get_status(self, host, port, path):
self.instance.export_ca_cert()
connection = PKIConnection(protocol='https',
hostname=host,
port=port,
cert_paths=self.instance.ca_cert)
response = connection.get(path)
content_type = response.headers['Content-Type']
content = response.text
logger.info('Content:\n%s', content)
# https://github.com/dogtagpki/pki/wiki/GetStatus-Service
if content_type == 'application/json':
json_response = json.loads(content)
status = json_response['Response']['Status']
elif content_type == 'application/xml':
root = ET.fromstring(content)
status = root.findtext('Status')
else:
raise Exception('Unsupported content-type: %s' % content_type)
logger.info('Status: %s', status)
return status
def connection(self):
connection = PKIConnection(protocol=self.protocol,
hostname=self.hostname,
port=self.port)
connection.set_authentication_cert(self.cert)
client = CertClient(connection)
return client
def __init__(self, conf=CONF):
"""Constructor - create the keyclient"""
pem_path = conf.dogtag_crypto_plugin.pem_path
if pem_path is None:
raise ValueError(_("pem_path is required"))
pem_password = conf.dogtag_crypto_plugin.pem_password
if pem_password is None:
raise ValueError(_("pem_password is required"))
crypto = None
create_nss_db = False
nss_db_path = conf.dogtag_crypto_plugin.nss_db_path
if nss_db_path is not None:
nss_password = conf.dogtag_crypto_plugin.nss_password
if nss_password is None:
raise ValueError(_("nss_password is required"))
if not os.path.exists(nss_db_path):
create_nss_db = True
cryptoutil.NSSCryptoUtil.setup_database(
nss_db_path, nss_password, over_write=True)
crypto = cryptoutil.NSSCryptoUtil(nss_db_path, nss_password)
# set up connection
connection = PKIConnection('https',
conf.dogtag_crypto_plugin.drm_host,
conf.dogtag_crypto_plugin.drm_port,
'kra')
connection.set_authentication_cert(pem_path)
# what happened to the password?
# until we figure out how to pass the password to requests, we'll
# just use -nodes to create the admin cert pem file. Any required
# code will end up being in the DRM python client
#create kraclient
kraclient = KRAClient(connection, crypto)
self.keyclient = kraclient.keys
self.systemcert_client = kraclient.system_certs
if crypto is not None:
if create_nss_db:
# Get transport cert and insert in the certdb
transport_cert = self.systemcert_client.get_transport_cert()
tcert = transport_cert[
len(pki.CERT_HEADER):
len(transport_cert) - len(pki.CERT_FOOTER)]
crypto.import_cert(DogtagCryptoPlugin.TRANSPORT_NICK,
base64.decodestring(tcert), "u,u,u")
crypto.initialize()
self.keyclient.set_transport_cert(
DogtagCryptoPlugin.TRANSPORT_NICK)
def __init__(self, conf=CONF):
"""Constructor - create the keyclient."""
pem_path = conf.dogtag_crypto_plugin.pem_path
if pem_path is None:
raise ValueError(u._("pem_path is required"))
pem_password = conf.dogtag_crypto_plugin.pem_password
if pem_password is None:
raise ValueError(u._("pem_password is required"))
crypto = None
create_nss_db = False
nss_db_path = conf.dogtag_crypto_plugin.nss_db_path
if nss_db_path is not None:
nss_password = conf.dogtag_crypto_plugin.nss_password
if nss_password is None:
raise ValueError(u._("nss_password is required"))
if not os.path.exists(nss_db_path):
create_nss_db = True
cryptoutil.NSSCryptoUtil.setup_database(nss_db_path,
nss_password,
over_write=True)
crypto = cryptoutil.NSSCryptoUtil(nss_db_path, nss_password)
# set up connection
connection = PKIConnection('https', conf.dogtag_crypto_plugin.drm_host,
conf.dogtag_crypto_plugin.drm_port, 'kra')
connection.set_authentication_cert(pem_path)
# what happened to the password?
# until we figure out how to pass the password to requests, we'll
# just use -nodes to create the admin cert pem file. Any required
# code will end up being in the DRM python client
#create kraclient
kraclient = KRAClient(connection, crypto)
self.keyclient = kraclient.keys
self.systemcert_client = kraclient.system_certs
if crypto is not None:
if create_nss_db:
# Get transport cert and insert in the certdb
transport_cert = self.systemcert_client.get_transport_cert()
tcert = transport_cert[len(pki.CERT_HEADER
):len(transport_cert) -
len(pki.CERT_FOOTER)]
crypto.import_cert(DogtagCryptoPlugin.TRANSPORT_NICK,
base64.decodestring(tcert), "u,u,u")
crypto.initialize()
self.keyclient.set_transport_cert(
DogtagCryptoPlugin.TRANSPORT_NICK)
def check_ca_clones(self):
for host in self.clone_cas:
cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
# Reach out and get some certs, to serve as a data and connectivity check
try:
connection = PKIConnection(protocol='https',
hostname=host.Hostname,
port=host.SecurePort,
verify=False)
cert_client = CertClient(connection)
# get the first 3 in case we cant to make a sanity check of replicated data
certs = cert_client.list_certs(size=3)
if certs is not None and len(certs.cert_data_info_list) == 3:
logger.info('Cert data successfully obtained from clone.')
else:
raise BaseException('CA clone problem reading data.' +
cur_clone_msg)
except BaseException as e:
logger.error("Internal server error %s", e)
raise BaseException('Internal error testing CA clone.' +
cur_clone_msg)
return
def get_security_domain():
"""
Get the security domain from the REST interface on the local Dogtag CA
This function will succeed if the local dogtag CA is up.
"""
connection = PKIConnection()
domain_client = pki.system.SecurityDomainClient(connection)
info = domain_client.get_security_domain_info()
return info
def get_security_domain():
"""
Get the security domain from the REST interface on the local Dogtag CA
This function will succeed if the local dogtag CA is up.
"""
connection = PKIConnection(protocol='https',
hostname=api.env.ca_host,
port='8443')
domain_client = pki.system.SecurityDomainClient(connection)
info = domain_client.get_security_domain_info()
return info
def get_security_domain_data(self, host, port):
domain_data = None
try:
connection = PKIConnection(protocol='http',
hostname=host,
port=port,
verify=False)
securityDomainClient = SecurityDomainClient(connection)
domain_data = securityDomainClient.get_domain_info()
except BaseException as e:
logger.error("Internal server error %s", e)
return domain_data
systems = domain_data.subsystems
for s in systems.values():
for h in s.hosts.values():
if s.id == 'CA':
if h.Clone == 'TRUE':
self.clone_cas.append(h)
else:
self.master_cas.append(h)
elif s.id == 'KRA':
if h.Clone == 'TRUE':
self.clone_kras.append(h)
else:
self.master_kras.append(h)
elif s.id == 'OCSP':
if h.Clone == 'TRUE':
self.clone_ocsps.append(h)
else:
self.master_ocsps.append(h)
elif s.id == 'TPS':
if h.Clone == 'TRUE':
self.clone_tpss.append(h)
else:
self.master_tpss.append(h)
elif s.id == 'TKS':
if h.Clone == 'TRUE':
self.clone_tkss.append(h)
else:
self.master_tkss.append(h)
return domain_data
def run_test(protocol, hostname, port, client_cert, certdb_dir,
certdb_password):
""" test code execution """
# set up the connection to the DRM, including authentication credentials
connection = PKIConnection(protocol, hostname, port, 'kra')
connection.set_authentication_cert(client_cert)
# create kraclient
crypto = pki.crypto.NSSCryptoProvider(certdb_dir, certdb_password)
kraclient = KRAClient(connection, crypto)
keyclient = kraclient.keys
# Get transport cert and insert in the certdb
transport_nick = "kra transport cert"
transport_cert = kraclient.system_certs.get_transport_cert()
print("Subject DN: " + transport_cert.subject_dn)
print(transport_cert.encoded)
crypto.import_cert(transport_nick, transport_cert)
# initialize the certdb for crypto operations
# for NSS db, this must be done after importing the transport cert
crypto.initialize()
# set transport cert into keyclient
keyclient.set_transport_cert(transport_nick)
# Test 2: Get key request info
print("Now getting key request")
try:
key_request = keyclient.get_request_info('2')
print_key_request(key_request)
except pki.RequestNotFoundException:
pass
# Test 3: List requests
print("Now listing some requests")
keyrequests = keyclient.list_requests('complete', 'securityDataRecovery')
print(keyrequests.key_requests)
for request in keyrequests.key_requests:
print_key_request(request)
# Test 4: generate symkey -- same as barbican_encode()
print("Now generating symkey on KRA")
client_key_id = "Vek #1" + time.strftime('%c')
algorithm = "AES"
key_size = 128
usages = [
key.SymKeyGenerationRequest.DECRYPT_USAGE,
key.SymKeyGenerationRequest.ENCRYPT_USAGE
]
response = keyclient.generate_symmetric_key(client_key_id,
algorithm=algorithm,
size=key_size,
usages=usages)
print_key_request(response.request_info)
print("Request ID is " + response.request_info.get_request_id())
key_id = response.get_key_id()
# Test 5: Confirm the key_id matches
print("Now getting key ID for clientKeyID=\"" + client_key_id + "\"")
key_infos = keyclient.list_keys(client_key_id=client_key_id,
status=keyclient.KEY_STATUS_ACTIVE)
key_id2 = None
for key_info in key_infos.key_infos:
print_key_info(key_info)
key_id2 = key_info.get_key_id()
if key_id == key_id2:
print("Success! The keys from generation and search match.")
else:
print("Failure - key_ids for generation do not match!")
# Test 6: Barbican_decode() - Retrieve while providing
# trans_wrapped_session_key
session_key = crypto.generate_session_key()
wrapped_session_key = crypto.asymmetric_wrap(session_key,
keyclient.transport_cert)
print("My key id is " + str(key_id))
key_data = keyclient.retrieve_key(
key_id, trans_wrapped_session_key=wrapped_session_key)
print_key_data(key_data)
unwrapped_key = crypto.symmetric_unwrap(key_data.encrypted_data,
session_key,
nonce_iv=key_data.nonce_data)
key1 = b64encode(unwrapped_key)
# Test 7: Recover key without providing trans_wrapped_session_key
key_data = keyclient.retrieve_key(key_id)
print_key_data(key_data)
key2 = b64encode(key_data.data)
# Test 8 - Confirm that keys returned are the same
if key1 == key2:
print("Success: The keys returned match! Key = " + str(key1))
else:
print("Failure: The returned keys do not match!")
print("key1: " + key1)
print("key2: " + key2)
# Test 10 = test BadRequestException on create()
print("Trying to generate a new symkey with the same client ID")
try:
keyclient.generate_symmetric_key(client_key_id,
algorithm=algorithm,
size=key_size,
usages=usages)
except pki.BadRequestException as exc:
print("BadRequestException thrown - Code:" + exc.code + " Message: " +
exc.message)
# Test 11 - Test RequestNotFoundException on get_request_info
print("Try to list a nonexistent request")
try:
keyclient.get_request_info('200000034')
except pki.RequestNotFoundException as exc:
print("RequestNotFoundException thrown - Code:" + exc.code +
" Message: " + exc.message)
# Test 12 - Test exception on retrieve_key.
print("Try to retrieve an invalid key")
try:
keyclient.retrieve_key('2000003434')
except pki.KeyNotFoundException as exc:
print("KeyNotFoundException thrown - Code:" + exc.code + " Message: " +
exc.message)
# Test 13 = getKeyInfo
print("Get key info for existing key")
key_info = keyclient.get_key_info(key_id)
print_key_info(key_info)
# Test 14: get the active key
print("Get the active key for client id: " + client_key_id)
key_info = keyclient.get_active_key_info(client_key_id)
print_key_info(key_info)
# Test 15: change the key status
print("Change the key status")
keyclient.modify_key_status(key_id, keyclient.KEY_STATUS_INACTIVE)
print_key_info(keyclient.get_key_info(key_id))
# Test 16: Get key info for non-existent key
print("Get key info for non-existent key")
try:
keyclient.get_key_info('200004556')
except pki.KeyNotFoundException as exc:
print("KeyNotFoundException thrown - Code:" + exc.code + " Message: " +
exc.message)
# Test 17: Get key info for non-existent active key
print("Get non-existent active key")
try:
key_info = keyclient.get_active_key_info(client_key_id)
print_key_info(key_info)
except pki.ResourceNotFoundException as exc:
print("ResourceNotFoundException thrown - Code: " + exc.code +
"Message: " + exc.message)
# Test 18: Generate a symmetric key with default parameters
client_key_id = "Vek #3" + time.strftime('%c')
response = keyclient.generate_symmetric_key(client_key_id)
print_key_request(response.request_info)
# Test 19: Try to archive key
print("try to archive key")
print("key to archive: " + key1)
client_key_id = "Vek #4" + time.strftime('%c')
response = keyclient.archive_key(client_key_id,
keyclient.SYMMETRIC_KEY_TYPE,
b64decode(key1),
key_algorithm=keyclient.AES_ALGORITHM,
key_size=128)
print_key_request(response.request_info)
# Test 20: Lets get it back
key_info = keyclient.get_active_key_info(client_key_id)
print_key_info(key_info)
key_data = keyclient.retrieve_key(key_info.get_key_id())
print_key_data(key_data)
key2 = b64encode(key_data.data)
if key1 == key2:
print("Success: archived and recovered keys match")
else:
print("Error: archived and recovered keys do not match")
print()
# Test 20: Generating asymmetric keys
print("Generating asymmetric keys")
try:
response = keyclient.generate_asymmetric_key("Vek #5" +
time.strftime('%c'),
algorithm="RSA",
key_size=1024,
usages=None)
print_key_request(response.request_info)
except pki.BadRequestException as exc:
print("BadRequestException thrown - Code:" + exc.code + " Message: " +
exc.message)
# Test 21: Get key information of the newly generated asymmetric keys
print("Retrieving key information")
key_info = keyclient.get_key_info(response.request_info.get_key_id())
print_key_info(key_info)
parser = argparse.ArgumentParser()
parser.add_argument("--hostname", help="<CA hostname>")
parser.add_argument("--port", help="<CA Port Number>")
parser.add_argument("--client-cert", help="path for admin.pem certificate")
parser.add_argument("--number-of-clients", help="Number of thread", type=int)
parser.add_argument("--number-of-tests-per-client", help="Number of test per thread", type=int)
parser.add_argument("--ca-cert-path", help="path for CA signing certifcate")
log = logging.getLogger()
logging.basicConfig(stream=sys.stdout, level=logging.INFO)
args = parser.parse_args()
# Create a PKIConnection object that stores the details of the CA.
connection = PKIConnection('https', args.hostname, args.port, cert_paths=args.ca_cert_path)
# The pem file used for authentication. Created from a p12 file using the
# command -
# openssl pkcs12 -in <p12_file_path> -out /tmp/auth.pem -nodes
connection.set_authentication_cert(args.client_cert)
# Instantiate the CertClient
cert_client = CertClient(connection)
class cert_enroll(object):
"""
#This class will enroll the certificate.
"""
def run_test(protocol, hostname, port, client_cert, certdb_dir,
certdb_password):
""" test code execution """
# set up the connection to the DRM, including authentication credentials
connection = PKIConnection(protocol, hostname, port, 'kra')
connection.set_authentication_cert(client_cert)
# create kraclient
crypto = pki.crypto.NSSCryptoProvider(certdb_dir, certdb_password)
kraclient = KRAClient(connection, crypto)
keyclient = kraclient.keys
# Get transport cert and insert in the certdb
transport_nick = "kra transport cert"
transport_cert = kraclient.system_certs.get_transport_cert()
print("Subject DN: " + transport_cert.subject_dn)
print(transport_cert.encoded)
crypto.import_cert(transport_nick, transport_cert)
# initialize the certdb for crypto operations
# for NSS db, this must be done after importing the transport cert
crypto.initialize()
# set transport cert into keyclient
keyclient.set_transport_cert(transport_nick)
# Test 2: Get key request info
print("Now getting key request")
try:
key_request = keyclient.get_request_info('2')
print_key_request(key_request)
except pki.RequestNotFoundException:
pass
# Test 3: List requests
print("Now listing some requests")
keyrequests = keyclient.list_requests('complete', 'securityDataRecovery')
print(keyrequests.key_requests)
for request in keyrequests.key_requests:
print_key_request(request)
# Test 4: generate symkey -- same as barbican_encode()
print("Now generating symkey on KRA")
client_key_id = "Vek #1" + time.strftime('%c')
algorithm = "AES"
key_size = 128
usages = [key.SymKeyGenerationRequest.DECRYPT_USAGE,
key.SymKeyGenerationRequest.ENCRYPT_USAGE]
response = keyclient.generate_symmetric_key(client_key_id,
algorithm=algorithm,
size=key_size,
usages=usages)
print_key_request(response.request_info)
print("Request ID is " + response.request_info.get_request_id())
key_id = response.get_key_id()
# Test 5: Confirm the key_id matches
print("Now getting key ID for clientKeyID=\"" + client_key_id + "\"")
key_infos = keyclient.list_keys(client_key_id=client_key_id,
status=keyclient.KEY_STATUS_ACTIVE)
key_id2 = None
for key_info in key_infos.key_infos:
print_key_info(key_info)
key_id2 = key_info.get_key_id()
if key_id == key_id2:
print("Success! The keys from generation and search match.")
else:
print("Failure - key_ids for generation do not match!")
# Test 6: Barbican_decode() - Retrieve while providing
# trans_wrapped_session_key
session_key = crypto.generate_session_key()
wrapped_session_key = crypto.asymmetric_wrap(session_key,
keyclient.transport_cert)
print("My key id is " + str(key_id))
key_data = keyclient.retrieve_key(
key_id, trans_wrapped_session_key=wrapped_session_key)
print_key_data(key_data)
unwrapped_key = crypto.symmetric_unwrap(key_data.encrypted_data,
session_key,
nonce_iv=key_data.nonce_data)
key1 = b64encode(unwrapped_key)
# Test 7: Recover key without providing trans_wrapped_session_key
key_data = keyclient.retrieve_key(key_id)
print_key_data(key_data)
key2 = b64encode(key_data.data)
# Test 8 - Confirm that keys returned are the same
if key1 == key2:
print("Success: The keys returned match! Key = " + str(key1))
else:
print("Failure: The returned keys do not match!")
print("key1: " + key1)
print("key2: " + key2)
# Test 10 = test BadRequestException on create()
print("Trying to generate a new symkey with the same client ID")
try:
keyclient.generate_symmetric_key(client_key_id,
algorithm=algorithm,
size=key_size,
usages=usages)
except pki.BadRequestException as exc:
print("BadRequestException thrown - Code:" + exc.code +
" Message: " + exc.message)
# Test 11 - Test RequestNotFoundException on get_request_info
print("Try to list a nonexistent request")
try:
keyclient.get_request_info('200000034')
except pki.RequestNotFoundException as exc:
print("RequestNotFoundException thrown - Code:" + exc.code +
" Message: " + exc.message)
# Test 12 - Test exception on retrieve_key.
print("Try to retrieve an invalid key")
try:
keyclient.retrieve_key('2000003434')
except pki.KeyNotFoundException as exc:
print("KeyNotFoundException thrown - Code:" + exc.code +
" Message: " + exc.message)
# Test 13 = getKeyInfo
print("Get key info for existing key")
key_info = keyclient.get_key_info(key_id)
print_key_info(key_info)
# Test 14: get the active key
print("Get the active key for client id: " + client_key_id)
key_info = keyclient.get_active_key_info(client_key_id)
print_key_info(key_info)
# Test 15: change the key status
print("Change the key status")
keyclient.modify_key_status(key_id, keyclient.KEY_STATUS_INACTIVE)
print_key_info(keyclient.get_key_info(key_id))
# Test 16: Get key info for non-existent key
print("Get key info for non-existent key")
try:
keyclient.get_key_info('200004556')
except pki.KeyNotFoundException as exc:
print("KeyNotFoundException thrown - Code:" + exc.code +
" Message: " + exc.message)
# Test 17: Get key info for non-existent active key
print("Get non-existent active key")
try:
key_info = keyclient.get_active_key_info(client_key_id)
print_key_info(key_info)
except pki.ResourceNotFoundException as exc:
print("ResourceNotFoundException thrown - Code: " + exc.code +
"Message: " + exc.message)
# Test 18: Generate a symmetric key with default parameters
client_key_id = "Vek #3" + time.strftime('%c')
response = keyclient.generate_symmetric_key(client_key_id)
print_key_request(response.request_info)
# Test 19: Try to archive key
print("try to archive key")
print("key to archive: " + key1)
client_key_id = "Vek #4" + time.strftime('%c')
response = keyclient.archive_key(client_key_id,
keyclient.SYMMETRIC_KEY_TYPE,
b64decode(key1),
key_algorithm=keyclient.AES_ALGORITHM,
key_size=128)
print_key_request(response.request_info)
# Test 20: Lets get it back
key_info = keyclient.get_active_key_info(client_key_id)
print_key_info(key_info)
key_data = keyclient.retrieve_key(key_info.get_key_id())
print_key_data(key_data)
key2 = b64encode(key_data.data)
if key1 == key2:
print("Success: archived and recovered keys match")
else:
print("Error: archived and recovered keys do not match")
print()
# Test 20: Generating asymmetric keys
print("Generating asymmetric keys")
try:
response = keyclient.generate_asymmetric_key(
"Vek #5" + time.strftime('%c'),
algorithm="RSA",
key_size=1024,
usages=None
)
print_key_request(response.request_info)
except pki.BadRequestException as exc:
print("BadRequestException thrown - Code:" + exc.code +
" Message: " + exc.message)
# Test 21: Get key information of the newly generated asymmetric keys
print("Retrieving key information")
key_info = keyclient.get_key_info(response.request_info.get_key_id())
print_key_info(key_info)
def check(self):
if not self.instance.exists():
logger.debug('Invalid instance: %s', self.instance.name)
yield Result(self,
constants.CRITICAL,
msg='Invalid PKI instance: %s' % self.instance.name)
return
self.instance.load()
ca = self.instance.get_subsystem('ca')
if not ca:
logger.info(
"No CA configured, skipping dogtag CA connectivity check")
return
try:
# Make a plain HTTP GET request to /ca/admin/ca/getStatus REST api end point
# and check if the CA is ready
if ca.is_ready():
logger.debug("CA instance is running")
# Make a plain HTTPS GET to "find" one certificate, to test that
# the server is up AND is able to respond back
connection = PKIConnection(protocol='https',
hostname='localhost',
port='8443',
verify=False)
cert_client = CertClient(connection)
cert = cert_client.list_certs(size=1)
cert_info = cert.cert_data_info_list[0]
if cert_info:
# All we care is whether the serial_number is not NONE
if cert_info.serial_number:
logger.info("Serial number of retrieved cert: %s",
cert_info.serial_number)
yield Result(self,
constants.SUCCESS,
serial_number=cert_info.serial_number,
subject_dn=cert_info.subject_dn)
else:
logger.info(
"Serial number cannot retrieved for cert: %s",
cert_info)
yield Result(
self,
constants.ERROR,
msg=
"Unable to read serial number from retrieved cert",
cert_info=cert_info,
serverURI=connection.serverURI,
cert_url=cert_client.cert_url)
else:
logger.info(
"Request was made but none of the certs were retrieved"
)
yield Result(
self,
constants.ERROR,
msg=
"PKI server is up. But, unable to retrieve any certs",
serverURI=connection.serverURI,
rest_path=cert_client.cert_url)
else:
yield Result(self,
constants.CRITICAL,
msg='CA subsystem is down')
except BaseException as e:
logger.error("Internal server error %s", e)
yield Result(self,
constants.CRITICAL,
msg="Internal server error. Is your CA subsystem and "
"LDAP database up?",
instance_name=self.instance.name,
exception="%s" % e)
def check(self):
if not self.instance.exists():
logger.debug('Invalid instance: %s', self.instance.name)
yield Result(self,
constants.CRITICAL,
msg='Invalid PKI instance: %s' % self.instance.name)
return
self.instance.load()
kra = self.instance.get_subsystem('kra')
if not kra:
logger.info(
"No KRA configured, skipping dogtag KRA connectivity check")
return
try:
# Make a plain HTTP GET request to /kra/admin/kra/getStatus REST api end point
# and check if the KRA is up
if kra.is_ready():
logger.info("KRA instance is running.")
# Make a plain HTTPS GET to retrieve KRA transport cert, to test that
# the server is up AND is able to respond back
connection = PKIConnection(protocol='https',
hostname='localhost',
port='8443',
verify=False)
system_cert_client = SystemCertClient(connection)
# This gets the KRA cert from CS.cfg via REST API. In future, the system
# certs will be moved into LDAP. This means that even if LDAP is down
# there will be a SUCCESSFUL response if KRA is running.
transport_cert = system_cert_client.get_transport_cert()
if transport_cert:
if transport_cert.serial_number:
logger.info(
"Serial number of retrieved transport cert: %s",
transport_cert.serial_number)
yield Result(
self,
constants.SUCCESS,
serial_number=transport_cert.serial_number,
subject_dn=transport_cert.subject_dn)
else:
logger.info(
"Serial number cannot retrieved for transport cert: %s",
transport_cert)
yield Result(
self,
constants.ERROR,
msg=
"Unable to read serial number from retrieved cert",
cert_info=transport_cert,
serverURI=connection.serverURI,
rest_path=system_cert_client.cert_url)
else:
logger.info(
"Request was made but the transport cert cannot be retrieved"
)
yield Result(
self,
constants.ERROR,
msg=
"KRA server is up. But, unable to retrieve transport cert",
serverURI=connection.serverURI,
rest_path=system_cert_client.cert_url)
else:
yield Result(self,
constants.CRITICAL,
msg='KRA subsystem is down')
except BaseException as e:
logger.error("Internal server error %s", e)
yield Result(
self,
constants.CRITICAL,
msg="Internal server error. Is your KRA subsystem and "
"LDAP database up?",
instance_name=self.instance.name,
exception="%s" % e)
